Archive for the ‘First Amendment’ Category

As the use of license-plate-recognition camera technology to gather and record drivers’ movements started becoming widespread in the United States, people asked a number of questions about the privacy, civil liberty and security implications about the surveillance technology. Last year, the Center for Investigative Reporting looked into privacy questions concerning the use of license-plate readers and found that “a leading maker of license-plate readers wants to merge the vehicle identification technology with other sources of identifying information.” A couple of years ago, the American Civil Liberties Union released a report (pdf) on license-plate readers and how they are used as surveillance devices.

And law enforcement is concerned about how such tech affects privacy rights, as well. In 2009, the International Association of Chiefs of Police issued a report on license-plate-recognition technology and said, “Recording driving habits could implicate First Amendment concerns. […] Mobile LPR units could read and collect the license plate numbers of vehicles parked at addiction counseling meetings, doctors’ offices, health clinics, or even staging areas for political protests.” The privacy and civil liberty questions have led to the cancellation of some license-plate-recognition surveillance programs, including ones in Boston and by the Department of Homeland Security.

One of the biggest questions is: What happens to all the data on innocent individuals? Often, we don’t know what the restrictions are on the collection and use of the data. We have learned some information about what some groups do with the data. Last year, the Washington Post reported that commercial databases gather such location data to sell. In 2013, the ACLU review of license-plate-reader camera technology found that “the approach in Pittsburg, Calif., is typical: a police policy document there says that license plate readers can be used for ‘any routine patrol operation or criminal investigation,’ adding, ‘reasonable suspicion or probable cause is not required.’ […] As New York’s Scarsdale Police Department put it in one document, the use of license plate readers ‘is only limited by the officer’s imagination.’” In 2011, the Washington Postreported that Virginia used the license-plate scanning technology for tax collection.

Now, as a result of the public records request, Ars Technicahas received the entire license-plate-reader dataset of the Oakland Police Department, “including more than 4.6 million reads of over 1.1 million unique plates between December 23, 2010 and May 31, 2014.” And it’s interesting to see what personal information can be gleaned from the surveillance data.

There has been considerable debate about the ethical, privacy, and civil liberty issues surrounding the unauthorized or unknowing retention and use of babies’ blood samples for purposes other than disease-screening in the United States and abroad. Often, parents are not told of the possible lengthy data retention period, possible distribution to other agencies, and possible other purposes for which their children’s blood samples could be used. Now, WNCN in North Carolina looks at the situation, and what it finds shows there are also questions about de-identification or “anonymization” of newborns’ medical data.

Asked what the government plans to do with the data, Scott Zimmerman, director of the N.C. State Public Health Lab, said, “So if an outside agency such as an academic institution approaches us and asks for dried blood spots, there are two approaches that can be taken. One, we can get parental consent to release that dried blood sample to an outside entity. We will not release any DBS that contains patient information without parental consent.”

Zimmerman added, “The only other way DBS are released is if they are de-identified.”

Researchers have shown that, often, data that has been de-identified can be re-identified (or “de-anonymized”), and sensitive data could be linked back to an individual. Therefore, there is a significant privacy concern for individuals’ whose information is shared, without their consent, in this manner. Read more »

At a recent dinner, Uber Senior Vice President Emil Michael suggested that Uber could spend “a million dollars” to hire opposition researchers to dig up dirt on journalists who were critical of the company, a service for hailing taxis, private cars or ride-shares. According toBuzzFeed: “That team could, he said, help Uber fight back against the press — they’d look into ‘your personal lives, your families,’ and give the media a taste of its own medicine.” He mentioned specifically focusing on the private details of the life of journalist Sarah Lacy. Lacy’s response is here. Michael has apologized for his comments, and Uber CEO Travis Kalanick has said Michael’s comments “were terrible and do not represent the company.”

If Uber were to investigate journalists or other critics, it would not be the first company to do so. Two cases involved Germany’s Deutsche Bank and Hewlett-Packard. In 2009, Deutsche Bank fired two executives because of a scandal in which bank executives hired investigators who spied on board members and a shareholder. In early 2006, then-Hewlett-Packard Chair Patricia Dunn hired private investigators that used “pretexting” to acquire the personal phone records of board members and journalists in an effort to locate the source of leaks to the media. (“Pretexting” is a fancy word for “pretending to be someone else in order to get his or her personal information” — in this case, phone records.) There were various criminal and Congressional investigations. Dunn said she didn’t know that the investigators were pretexting, and the charges against her were eventually dismissed. The scandal prompted Congress to pass the Telephone and Records Privacy Act of 2006, which prohibits pretexting to gather phone record data (with exceptions for law enforcement).

BuzzFeed also reported that another Uber executive, the general manager of Uber NYC, did something that also raises privacy questions. During an e-mail exchange with a journalist, the Uber executive “accessed the profile of a BuzzFeed News reporter, Johana Bhuiyan, to make points in the course of a discussion of Uber policies. At no point in the email exchanges did she give him permission to do so.” This raises the specter of an insider misusing or abusing his data-access privileges to invade the privacy of an individual. We’ve talked before about the problems that arise when insiders abuse or misuse their access to individuals’ data. There have been many such cases. Read more »

In a column at Slate, Alvaro M. Bedoya, the founding executive director of the Center on Privacy and Technology at Georgetown Law, writes about “big data” and what widespread data collection on individuals can mean for civil liberties:

Most of the questions, however, focus on how our data should be used. There’s been far less attention to a growing effort to change how our data is collected.

For years, efforts to protect privacy have focused on giving people the ability to choose what data is collected about them. Now, industry—with the support of some leaders in government—wants to shift that focus. Businesses say that in our data-saturated world, giving consumers meaningful control over data collection is next to impossible. They argue that we should ramp down efforts to give individuals control over the initial collection of their data, and instead let industry collect as much personal information as possible. Read more »

Politicoreports on a privacy concerns with a surveillance program to track mail vial “mail covers” in the United States:

Cutting-edge data-gathering techniques may have grabbed the spotlight lately, but it turns out the government has been playing fast and loose with a more old-school surveillance method: snail-mail snooping.

The U.S. Postal Service failed to observe key safeguards on a mail surveillance program with a history of civil liberties abuses, according to a new internal watchdog report that USPS managers tried to keep secret, citing security concerns.

The Office of Inspector General audit of so-called “mail covers” — orders to record addresses or copy the outside of all mail delivered to an individual or an address — found that about 20 percent of the orders implemented for outside law enforcement agencies were not properly approved, and 13 percent were either unjustified or not correctly documented. Read more »

To recap: There has been considerable controversy about the privacy and civil liberties implications of the bulk telephone data collection program revealed by former National Security Agency contractor Edward Snowden. (He revealed several surveillance programs by the agency.) The Review Group on Intelligence and Communications Technologies (created by President Obama in August after the Snowden revelations) issued a report (archive pdf) recommending against the telephone call record database. Recently, the Privacy and Civil Liberties Oversight Board (PCLOB), an independent oversight agency within the executive branch, released a report (archive pdf) on the NSA’s surveillance program that collects telephone records in bulk saying the NSA surveillance program is illegal and should be ended. Federal judges have issued conflicting rulings on the surveillance program. In January, Obama announced reforms and proposed changes to the NSA surveillance programs, including the call record database surveillance program. Obama also issued a “Presidential Policy Directive, PPD-28,” (pdf) concerning signals intelligence activities.

Now, the Office of the Director of National Intelligence has issued an interim progress report (DNI pdf; archive pdf) on implementing PPD-28. In an announcement, Robert Litt, general counsel for the Office of the Director of National Intelligence, and Alexander W. Joel, civil liberties protection officer for the Office of the Director of National Intelligence, said the report “articulates key principles for agencies to incorporate in their policies and procedures, including some which afford protections that go beyond those explicitly outlined in PPD-28. These principles include the following: Ensuring that privacy and civil liberties are integral considerations in signals intelligence activities.”